Compliance Solutions

DevOps makes software deployment faster but, without proper controls, that often means developers are also releasing security vulnerabilities and non-compliant applications more quickly. Organizations must learn how to decrease risk by shipping software quickly, but with higher efficiency and lower risk. The solution is to not deal with information security right before or even in production.

Organizations can achieve both speed and safety by extending Agile, Lean, and DevOps (ALDO) principles to their information security teams and by adopting automation tools, such as InSpec and Chef Automate. Tools like these turn compliance into code and integrate security into your full development cycle.

Information security lags behind and
becomes a barrier to velocity

Most organizations understand the value of speed. But when you ask those same organizations if they can deliver software continuously and remain compliant, their response is eye-opening.

In the 2017 Chef Compliance Survey, DevOps practitioners placed InfoSec and Compliance concerns at the bottom of their priorities. Information security is still seen to inhibit agility and speed.

15%

Operations Pros believe compliance policies slow them down

30%

InfoSec Pros believe compliance policies slow them down

Devops organizations still suffer without the right tools and processes for compliance

Industry data shows that the secret behind the success of high-performing DevOps teams is that they have expanded their scope to involve InfoSec in every phase of the software development process. However, there’s still plenty room for improvement. InfoSec policies are slow to implement, slow to audit, and are firmly situated in practices that pre-date the shift toward orienting around automation and high velocity. As a result, they are arguably ineffective.

Estimates are that, through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year or more.* Verizon’s Data Breach report shows that for the last three years, more than 88% of observed exploits can be accounted for by only nine known vulnerabilities.**

64%

Of DevOps organisations have to follow regulatory standards

73%

Assess Compliance after development has begun

59%

Assess code only after it’s in production

Both the speed of shipping and the speed of remediation are costly issues

In an era of rapidly developing threats and continually evolving compliance frameworks, what is becoming more alarming is the data relating to how long it takes most organizations to remediate their violations or vulnerabilities. When dozens or even hundreds of builds a day are deployed to production, that response time is simply unacceptable. And, keep in mind, these survey respondents practice DevOps.

15%

Need hours to
remediate

30%

Need days to
remediate

22%

Need weeks to
remediate

22%

Need months to
remediate

*Chef Software – Chef Compliance Survey 2017

Debunking the myth that safe can’t be fast

High-performing DevOps teams scale both speed and quality by shifting compliance into the software development process as part of their daily work, rather than retrofitting security at the end. With “shift left” testing (testing that integrates information security earlier in the development lifecycle, or to the left on the project timeline) developers are more likely to find errors before reaching production.

Tools that focus on managing compliance as code shift InfoSec assessments away from manual processes driven by binders full of policy documentation to a model where controls are instead expressed as executable, versionable, and human-readable code. These controls can be distributed as another set of tests any developer can incorporate into their existing workflow and toolchain. This code-driven approach builds on existing methods for collaboration already used by DevOps teams.

Bridging the compliance gap with InSpec and Chef Automate

InSpec is open source testing framework for infrastructure. It is a human-readable language for specifying compliance, security, and other policy requirements as tests. Teams can easily integrate these automated tests into any stage of their deployment pipeline.

Integrate InSpec with Chef Automate, Chef’s continuous automation platform, and you gain greater control over the detection and correction of issues, even in production. Across your entire fleet of servers and machines – no matter their environments – Automate provides analysis, reporting, and visualization based upon inSpec data. Users can even download pre-packaged CIS benchmarks to use as is, or to customize to their business or industry standards.